Feature #969
Direct Client->Foreman communication shouldn't be needed (and moved to the Proxy)
| Status: | New | Start: | 06/09/2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
| Backlog: | No | Difficulty: | |
| Votes: | 4 | | |
Description
When provisioning a machine, the client needs to access Foreman's unattended URLs, such as:
http://foreman/unattended/kickstart
and
http://foreman/unattended/built
That means the firewall has to be open from the clients to Foreman itself (and therefore to its API).
I think the architecture and security would improve if Foreman could be as isolated as possible, not depending on being reachable from the machines it manages. Those tasks should be left to the proxy.
The suggested solution:
Client communications directed to Foreman should be moved to the proxy (in this case, the one running on the master), so you only need ports 8140 (puppetmaster) and 8443 (foreman-proxy) open.
Note:
The proxy doesn't really need to simply forward the request (although this is also a valid initial solution). It could have some intelligence to validate the requests or serve the unattended content itself (pre-fetching template information or something like it).
Related issues
| Related issue | Status | Date |
|---|---|---|
| related to Foreman - Feature #1069: Unattended install behind firewall and built status | New | 07/26/2011 |
| related to Foreman - Bug #1208: Unauthenticated IP spoofing should not be allowed | Closed | 10/04/2011 |
History
Updated by Marcello de Sousa 6 months ago
I can't use Foreman in production with this issue, so a workaround I'm using at the moment is to add something like this to the vhost:
# Default policy: everything on the vhost (UI and API) is reachable only
# from the admin networks and from the local host.
<Location />
    Order Deny,Allow
    Deny from all
    Allow from <my allowed nets ex: 192.168.0.0/24>
    Allow from 127.0.0.1
</Location>
# Later Location sections override earlier ones for the paths they match:
# the two unattended URLs are reachable only from the client networks,
# and nothing else on the vhost is exposed to them.
<Location ~ "^/unattended/(kickstart|built)$">
    Order Deny,Allow
    Deny from all
    Allow from <my client nets where only unattended should be available>
</Location>
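The same allow-list policy, expressed as code a forwarding proxy could apply before passing a request on to Foreman (the "some intelligence to validate them" idea from the description, and the split between admin and client networks from the vhost workaround above). This is an added example written for this page, not Foreman or smart-proxy code and not part of the issue; the path pattern, the sample network ranges, the header names and the return values are assumptions.

```ruby
# Added example: request gate for a proxy sitting in front of Foreman.
# Not Foreman/smart-proxy code; paths, networks and headers are assumptions.
require 'ipaddr'

# The only two paths a machine being provisioned is ever allowed to reach
# (the unattended URLs named in the issue). Anchored so nothing else under
# /unattended/ or elsewhere slips through.
UNATTENDED_PATH = %r{\A/unattended/(kickstart|built)\z}.freeze

# Constructed sample networks: where provisioning clients live and where
# administrators connect from. Real deployments substitute their own ranges.
PROVISIONING_NETS = %w[192.168.0.0/24 10.20.0.0/16].map { |n| IPAddr.new(n) }.freeze
ADMIN_NETS        = %w[127.0.0.1/32 10.0.0.0/24].map { |n| IPAddr.new(n) }.freeze

# True when +ip+ falls inside any of +nets+. An unparsable address is
# treated as belonging to no network, so it is denied by the caller.
def in_nets?(ip, nets)
  addr = IPAddr.new(ip)
  nets.any? { |net| net.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Decide what to do with a request the proxy has received.
# +path+ is the path component only (query string already removed).
# Returns [:forward, role] or [:deny, reason].
def decide(path, client_ip)
  # Refuse dot segments outright: the path is checked here before any
  # upstream normalisation, so it must be exactly the path Foreman will see.
  return [:deny, :bad_path] if !path.start_with?('/') || path.split('/').include?('..')

  if UNATTENDED_PATH.match?(path)
    # Mirrors the second <Location> block: unattended URLs only from client nets.
    return in_nets?(client_ip, PROVISIONING_NETS) ? [:forward, :unattended] : [:deny, :not_provisioning]
  end

  # Mirrors the first <Location> block: everything else only from admin nets.
  in_nets?(client_ip, ADMIN_NETS) ? [:forward, :admin] : [:deny, :not_admin]
end

# Headers to send upstream when a request is forwarded. Any X-Forwarded-*
# header the client supplied is discarded and the proxy asserts the address
# it actually observed: once the proxy is the only way to reach Foreman,
# it is also the only hop whose statement about the client address counts.
def upstream_headers(client_ip, incoming_headers)
  kept = incoming_headers.reject { |name, _| name.downcase.start_with?('x-forwarded-') }
  kept.merge('X-Forwarded-For' => client_ip)
end

# Convenience wrapper tying the two steps together for one request.
def handle(path, client_ip, incoming_headers = {})
  action, detail = decide(path, client_ip)
  result = { action: action, detail: detail }
  result[:headers] = upstream_headers(client_ip, incoming_headers) if action == :forward
  result
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests as the proxy might see them.
  p handle('/unattended/kickstart', '192.168.0.42', { 'X-Forwarded-For' => '10.0.0.5' })
  p handle('/hosts', '192.168.0.42')
  p handle('/hosts', '10.0.0.5')
end
```

The gate keeps the same shape as the vhost workaround, so the two can be compared line by line: the anchored regex plays the role of the `Location ~` match, and the two network lists play the role of the `Allow from` directives. The header step is the part a plain Apache allow-list does not cover; it matters once the proxy forwards rather than serves the request, because the upstream then sees the proxy's address unless the proxy states the client's.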
